HIPAA Training

What is HIPAA?

HIPAA is an acronym for Health Insurance Portability and Accountability Act of 1996. It requires that “protected health information” or PHI be protected and handled confidentially, which includes how PHI is stored, who can access PHI, how PHI is transmitted, and how PHI is used.



Privacy And Security Rules


Privacy Rule

To protect the privacy of PHI that can identify a specific individual or person.


Security Rule

To set national standards for protecting electronic PHI.


Protected Health Information

PHI refers to individually identifiable health information which can be linked to a particular individual or person. It includes:

  • The individual’s past, present, or future physical or mental health
  • The provision of health care to the individual
  • The past, present, or future payment for the provision of health care to the individual


Common Identifiers And Examples Of Health Information


Common Identifiers

This includes:

  • Names
  • Social Security Numbers
  • Birth Dates
  • Addresses


Examples Of Health Information

This includes:

  • Care Plans
  • Wound Care Logs
  • Admissions & Referral Forms
  • Incident Reports


Who Is Covered?


Healthcare Providers

Any person or organization that furnishes, bills, or is paid for health care in the normal course of business, such as Nursing Homes, Hospitals, and ICF/MRs.


Healthcare Plans

Any individual or group plan (or combination) that provides, or pays the cost of, medical care, such as health insurance issuers (Blue Cross Blue Shield), HMOs, Group Health Plans, Medicare, and Medicaid.


Healthcare Clearinghouse

Any company that translates data content or format for another entity from non-standard to standard or vice-versa.


Business Associates

A person or entity that performs a function for a covered entity which involves the use or disclosure of PHI. Some examples include:

  • Consultant
  • Attorney
  • Collection Agency
  • Medical Transcriptionist


Permitted Uses And Disclosures

The Privacy Rule allows you to use or disclose PHI as follows:

  • To the individual
  • For treatment, such as disclosing PHI to other healthcare professionals caring for the individual
  • For payment, such as claims billing, review services for coverage, or medical necessity
  • For healthcare operations, which are the day-to-day operations necessary for quality care. Examples include verifying documentation and determining the quality of care provided by clinicians


Authorization Not Required

In the following situations, you may use or disclose PHI without the individual’s authorization:

  • As required by law
  • For public health activities
  • For victims of abuse, neglect, or domestic violence
  • For health oversight activities
  • For judicial and administrative proceedings
  • For law enforcement purposes
  • To avert a serious threat to health or safety
  • For specialized government functions


Authorized Uses And Disclosures Required

A signature from the individual or their personal representative is required to use PHI:

  • For use and disclosure of psychotherapy notes
  • For use and disclosures to third parties for marketing activities


Limiting Uses And Disclosures

When using or disclosing PHI, you should use only the minimum amount required to achieve the purpose of the particular use or disclosure. Please note that this minimum necessary requirement does not apply to disclosures for treatment.


State Law

If the state law is more protective of the individual, then it takes precedence over HIPAA.


Privacy Rights

An individual has the right to:

  • Receive a written notice describing your facility’s privacy practices on the first date of service
  • See or receive a copy of their medical record or other health information
  • Request that any incorrect information in their file be changed
  • Have PHI communicated to them by alternative means and at an alternative location to protect confidentiality
  • Request restrictions to the use and disclosure of their PHI
  • Request a history of disclosures of PHI for six years prior to the request
  • File a complaint regarding any privacy concern or breach of privacy with your facility or Department of Health and Human Services (HHS)


Keep Passwords Safe

Your password is private and personal. It is the connection to everything you access and save on your computer. Here are some suggestions for protecting the privacy of your password:

  • Never write your password on a Post-it note and stick it to your computer.
  • Passwords are for your individual use.
  • Never email your password.
  • Never ask someone for their password or give them yours.



Here are a few important points to remember regarding HIPAA:

  • HIPAA law is evolving
  • It is influenced by emerging patient needs
  • It is affected by changing technology for collecting, storing, distributing and using PHI
  • It impacts our jobs
  • It impacts us as individuals who deserve to keep our own health information private, protected and secure



Q: Are we required to supply patients access to their medical records within a fixed time period?

A: Yes. By law, patients requesting access must receive copies of their medical records within 30 days of a written request.


Q: Does the HIPAA Privacy Rule apply to our company’s professional associates?

A: Yes. Compliance requirements include business associates, such as vendors, lawyers, accountants and sub-contractors.